1. Add provisioning of cloud_admin_access_only

Enable cloud_admin_access_only by default. Add a parameter --no_multi_tenancy to setup-vnc-collector to disable cloud_admin_access_only. Remove templates for ini files for contrail-analytics-api, contrail-collector, and contrail-query-engine and for conf file of contrail-analytics-api Partial-Bug: #1461175 (cherry picked from commit ec3c174) Conflicts: contrail_provisioning/collector/setup.py 2. Rename multi_tenancy to aaa_mode for analytics API Partial-Bug: #1599654 (cherry picked from commit 97c3c39) Conflicts: contrail_provisioning/collector/setup.py 3. Fix provisioning failure in setup-vnc-collector Configure memcache servers in /etc/contrail/contrail-keystone-auth.conf only from config node setup Closes-Bug: #1606654 (cherry picked from commit 98de681) Conflicts: contrail_provisioning/common/base.py 4. Rename multi_tenancy to aaa_mode in upgrade path for analytics node Closes-Bug: #1607469 (cherry picked from commit b8f4c69) 5. Changes to bring analytics authenticated access in sync with config 1. Rename aaa_mode value cloud-admin-only to cloud-admin 2. CLOUD_ADMIN_ROLE defaults to admin instead of cloud-admin Partial-Bug: #1607563 (cherry picked from commit 3e8d841) Conflicts: contrail_provisioning/collector/setup.py Change-Id: I56dd3e14a7a2ad8d676decf3dbbb2170170a957b
Juniper · Aug 5, 2016 · e1f2af6 · e1f2af6
1 parent ae9236d
commit e1f2af6
Show file tree

Hide file tree

Showing 8 changed files with 89 additions and 141 deletions.
diff --git a/contrail_provisioning/collector/setup.py b/contrail_provisioning/collector/setup.py
@@ -8,13 +8,9 @@
 from contrail_provisioning.common.base import ContrailSetup
 from contrail_provisioning.collector.templates import contrail_query_engine_conf
 from contrail_provisioning.collector.templates import contrail_collector_conf
-from contrail_provisioning.collector.templates import contrail_analytics_api_conf
 from contrail_provisioning.collector.templates import contrail_analytics_nodemgr_template
 from contrail_provisioning.collector.templates import redis_server_conf_template
 from contrail_provisioning.common.templates import contrail_database_template
-from contrail_provisioning.collector.templates import contrail_collector_ini
-from contrail_provisioning.collector.templates import contrail_query_engine_ini
-from contrail_provisioning.collector.templates import contrail_analytics_api_ini
 
 class CollectorSetup(ContrailSetup):
     def __init__(self, args_str = None):
@@ -34,7 +30,7 @@ def __init__(self, args_str = None):
             'keystone_service_tenant_name' : 'service',
             'keystone_auth_protocol': 'http',
             'keystone_auth_port': '35357',
-            'multi_tenancy': True,
+            'aaa_mode': 'cloud-admin',
         }
 
         self.parse_args(args_str)
@@ -88,8 +84,10 @@ def parse_args(self, args_str):
             help = "Connect to keystone in secure or insecure mode if in" + \
                     "https mode",
             default = 'False')
-        parser.add_argument("--multi_tenancy", help = "(Deprecated, defaults to True) Enforce resource permissions (implies token validation)",
-            action="store_true")
+        parser.add_argument("--aaa_mode", help="AAA mode",
+            choices=['no-auth', 'cloud-admin'])
+        parser.add_argument("--cloud_admin_role",
+            help="Name of cloud-admin role")
         parser.add_argument("--cassandra_user", help="Cassandra user name",
             default= None)
         parser.add_argument("--cassandra_password", help="Cassandra password",
@@ -104,29 +102,35 @@ def fixup_config_files(self):
         self.fixup_contrail_topology()
         self.fixup_contrail_analytics_nodemgr()
         if not os.path.exists('/etc/contrail/contrail-keystone-auth.conf'):
-            self.fixup_keystone_auth_config_file()
+            self.fixup_keystone_auth_config_file(False)
         self.fixup_contrail_alarm_gen()
-        if self._args.cassandra_user is not None:
-            self.fixup_cassandra_config()
-            self.fixup_ini_files()
+        self.fixup_cassandra_config()
+        self.fixup_ini_files()
 
-    def fixup_ini_files(self):
-        collector_conf_files = ['/etc/contrail/contrail-collector.conf','/etc/contrail/contrail-database.conf']
-        query_engine_conf_files = ['/etc/contrail/contrail-query-engine.conf','/etc/contrail/contrail-database.conf']
-        analytics_api_conf_files = ['/etc/contrail/contrail-analytics-api.conf','/etc/contrail/contrail-database.conf']
-        collector_template_vals = {'__contrail_collector_conf__': ' --conf_file '.join(collector_conf_files)}
-        query_engine_template_vals = {'__contrail_query_engine_conf__': ' --conf_file '.join(query_engine_conf_files)}
-        analytics_api_template_vals = {'__contrail_analytics_api_conf__': ' --conf_file '.join(analytics_api_conf_files)}
-        self._template_substitute_write(contrail_collector_ini.template,
-                                        collector_template_vals, self._temp_dir_name + '/contrail-collector.ini')
-        local("sudo mv %s/contrail-collector.ini /etc/contrail/supervisord_analytics_files/contrail-collector.ini" %(self._temp_dir_name))
-        self._template_substitute_write(contrail_query_engine_ini.template,
-                                        query_engine_template_vals, self._temp_dir_name + '/contrail-query-engine.ini')
-        local("sudo mv %s/contrail-query-engine.ini /etc/contrail/supervisord_analytics_files/contrail-query-engine.ini" %(self._temp_dir_name))
-        self._template_substitute_write(contrail_analytics_api_ini.template,
-                                        analytics_api_template_vals, self._temp_dir_name + '/contrail-analytics-api.ini')
-        local("sudo mv %s/contrail-analytics-api.ini /etc/contrail/supervisord_analytics_files/contrail-analytics-api.ini" %(self._temp_dir_name))
+    def fixup_analytics_daemon_ini_file(self, daemon_name, conf_files=None):
+        dconf_files = []
+        if conf_files:
+            dconf_files.extend(conf_files)
+        daemon_conf_file = '/etc/contrail/' + daemon_name + '.conf'
+        dconf_files.append(daemon_conf_file)
+        if self._args.cassandra_user:
+            database_conf = '/etc/contrail/contrail-database.conf'
+            dconf_files.append(database_conf)
+        ini_conf_cmd = ''.join([' --conf_file ' + conf_file for \
+            conf_file in dconf_files])
+        supervisor_dir = '/etc/contrail/supervisord_analytics_files'
+        bin_dir = '/usr/bin'
+        self.set_config(os.path.join(supervisor_dir, daemon_name + '.ini'),
+            'program:' + daemon_name, 'command',
+            os.path.join(bin_dir, daemon_name) + ini_conf_cmd)
+    # end fixup_analytics_daemon_ini_file
 
+    def fixup_ini_files(self):
+        self.fixup_analytics_daemon_ini_file('contrail-collector')
+        self.fixup_analytics_daemon_ini_file('contrail-query-engine')
+        self.fixup_analytics_daemon_ini_file('contrail-analytics-api',
+            ['/etc/contrail/contrail-keystone-auth.conf'])
+    # end fixup_ini_files
 
     def fixup_cassandra_config(self):
         if self._args.cassandra_user:
@@ -138,7 +142,7 @@ def fixup_cassandra_config(self):
                  self._template_substitute_write(contrail_database_template.template,
                                         template_vals, self._temp_dir_name + '/contrail-collector-database.conf')
                  local("sudo mv %s/contrail-collector-database.conf /etc/contrail/contrail-database.conf" %(self._temp_dir_name))
-
+    # end fixup_cassandra_config
 
     def fixup_contrail_alarm_gen(self):
         ALARM_GEN_CONF_FILE = '/etc/contrail/contrail-alarm-gen.conf'
@@ -278,41 +282,54 @@ def fixup_contrail_query_engine(self):
     def fixup_contrail_analytics_api(self):
         ALARM_GEN_CONF_FILE = '/etc/contrail/contrail-alarm-gen.conf'
         conf_file = '/etc/contrail/contrail-analytics-api.conf'
+        with settings(warn_only=True):
+            local("[ -f %s ] || > %s" % (conf_file, conf_file))
         rest_api_port = '8081'
         if self._args.internal_vip:
             rest_api_port = '9081'
-        template_vals = {'__contrail_log_file__' : '/var/log/contrail/contrail-analytics-api.log',
-                         '__contrail_log_local__': '1',
-                         '__contrail_log_category__': '',
-                         '__contrail_log_level__': 'SYS_NOTICE',
-                         '__contrail_redis_server_port__' : '6379',
-                         '__contrail_redis_query_port__' : '6379',
-                         '__contrail_http_server_port__' : '8090',
-                         '__contrail_rest_api_port__' : rest_api_port,
-                         '__contrail_host_ip__' : self._args.self_collector_ip,
-                         '__contrail_discovery_ip__' : self._args.cfgm_ip,
-                         '__contrail_discovery_port__' : 5998,
-                         '__contrail_cassandra_server_list__' : ' '.join('%s:%s' % cassandra_server for cassandra_server in self.cassandra_server_list),
-                         '__contrail_analytics_data_ttl__' : self._args.analytics_data_ttl,
-                         '__contrail_config_audit_ttl__' : self._args.analytics_config_audit_ttl,
-                         '__contrail_statistics_ttl__' : self._args.analytics_statistics_ttl,
-                         '__contrail_flow_ttl__' : self._args.analytics_flow_ttl,
-                         '__contrail_redis_password__' : ''}
+        config_vals = \
+        { 'DEFAULTS' : {
+            'log_file' : '/var/log/contrail/contrail-analytics-api.log',
+            'log_local': 1,
+            'log_category': '',
+            'log_level': 'SYS_NOTICE',
+            'http_server_port' : 8090,
+            'rest_api_port' : rest_api_port,
+            'host_ip' : self._args.self_collector_ip,
+            'cassandra_server_list' : ' '.join('%s:%s' % cassandra_server for \
+                cassandra_server in self.cassandra_server_list),
+            'analytics_data_ttl' : self._args.analytics_data_ttl,
+            'analytics_config_audit_ttl' : self._args.analytics_config_audit_ttl,
+            'analytics_statistics_ttl' : self._args.analytics_statistics_ttl,
+            'analytics_flow_ttl' : self._args.analytics_flow_ttl,
+            'api_server' : self._args.cfgm_ip + ':8082',
+            'aaa_mode' : self._args.aaa_mode,
+            },
+          'REDIS' : {
+            'redis_server_port' : 6379,
+            'redis_query_port' : 6379,
+            },
+          'DISCOVERY' : {
+            'disc_server_ip' : self._args.cfgm_ip,
+            'disc_server_port' : 5998,
+            },
+        }
         if self._args.redis_password:
-            template_vals['__contrail_redis_password__'] = 'redis_password = '+ self._args.redis_password
-        self._template_substitute_write(contrail_analytics_api_conf.template,
-                                        template_vals, self._temp_dir_name + '/contrail-analytics-api.conf')
-        local("sudo mv %s/contrail-analytics-api.conf %s" % \
-              (self._temp_dir_name, conf_file))
+            config_vals['REDIS']['redis_password'] = self._args.redis_password
+        if self._args.cloud_admin_role:
+            config_vals['DEFAULTS']['cloud_admin_role'] = self._args.cloud_admin_role
 
         # pickup the number of partitions from alarmgen conf
         # if it isn't there, analytics-api conf should use defaults too
         try:
             pstr = self.get_config(ALARM_GEN_CONF_FILE, 'DEFAULTS', 'partitions')
             pint = int(pstr)
-            self.set_config(conf_file, 'DEFAULTS', 'partitions', pstr)
+            config_vals['DEFAULTS']['partitions'] = pstr
         except:
-            self.replace_in_file(conf_file, 'partitions', '')
+            config_vals['DEFAULTS']['partitions'] = ''
+        for section, parameter_values in config_vals.items():
+            for parameter, value in parameter_values.items():
+                self.set_config(conf_file, section, parameter, value)
 
     def load_redis_upstart_file(self):
         #copy the redis-server conf to init

diff --git a/contrail_provisioning/collector/templates/contrail_analytics_api_conf.py b/contrail_provisioning/collector/templates/contrail_analytics_api_conf.py
diff --git a/contrail_provisioning/collector/templates/contrail_analytics_api_ini.py b/contrail_provisioning/collector/templates/contrail_analytics_api_ini.py
diff --git a/contrail_provisioning/collector/templates/contrail_collector_ini.py b/contrail_provisioning/collector/templates/contrail_collector_ini.py
diff --git a/contrail_provisioning/collector/templates/contrail_query_engine_ini.py b/contrail_provisioning/collector/templates/contrail_query_engine_ini.py
diff --git a/contrail_provisioning/collector/upgrade.py b/contrail_provisioning/collector/upgrade.py
@@ -60,7 +60,7 @@ def update_config(self):
             self.fixup_contrail_topology()
             # Create contrail-keystone-auth.conf
             if not os.path.exists('/etc/contrail/contrail-keystone-auth.conf'):
-                self.fixup_keystone_auth_config_file()
+                self.fixup_keystone_auth_config_file(False)
 
         # From 3.0:
         # 1. Alarmgen is enabled by default.
@@ -126,6 +126,22 @@ def update_config(self):
                 ' '.join('%s:%s' % (server.split(':')[0], '9042') for server \
                 in analytics_api_cass_server_list.split()))
 
+        # From 3.10:
+        # 1. contrail-analytics-api.conf provides access to only cloud admin
+        #    role, API server VIP needs to be specified
+        # 2. contrail-keystone-auth.conf needs to be passed to
+        #    contrail-analytics-api via contrail-analytics-api.ini
+        if (self._args.from_rel < LooseVersion('3.1') and
+                self._args.to_rel >= LooseVersion('3.1')):
+            analytics_api_conf = '/etc/contrail/contrail-analytics-api.conf'
+            self.set_config(analytics_api_conf, 'DEFAULTS',
+                'aaa_mode', self._args.aaa_mode)
+            self.set_config(analytics_api_conf, 'DEFAULTS', 'api_server',
+                self._args.cfgm_ip + ':8082')
+            self.fixup_analytics_daemon_ini_file('contrail-analytics-api',
+                ['/etc/contrail/contrail-keystone-auth.conf'])
+    # end update_config
+
 def main():
     collector = CollectorUpgrade()
     collector.upgrade()

diff --git a/contrail_provisioning/common/base.py b/contrail_provisioning/common/base.py
@@ -281,7 +281,7 @@ def setup_coredump(self):
             print "Ignoring failure when enabling kdump"
             print "Exception: %s" % str(e)
 
-    def fixup_keystone_auth_config_file(self):
+    def fixup_keystone_auth_config_file(self, configure_memcache):
         # Keystone auth config ini
         template_vals = {
                          '__contrail_keystone_ip__': self._args.keystone_ip,
@@ -291,7 +291,7 @@ def fixup_keystone_auth_config_file(self):
                          '__contrail_ks_auth_protocol__': self._args.keystone_auth_protocol,
                          '__contrail_ks_auth_port__': self._args.keystone_auth_port,
                          '__keystone_insecure_flag__': self._args.keystone_insecure,
-                         '__contrail_memcached_opt__': 'memcache_servers=127.0.0.1:11211' if self._args.multi_tenancy else '',
+                         '__contrail_memcached_opt__': 'memcache_servers=127.0.0.1:11211' if configure_memcache else '',
                         }
         self._template_substitute_write(contrail_keystone_auth_conf.template,
                                         template_vals, self._temp_dir_name + '/contrail-keystone-auth.conf')

diff --git a/contrail_provisioning/config/openstack.py b/contrail_provisioning/config/openstack.py
@@ -23,7 +23,7 @@ def __init__(self, config_args, args_str=None):
 
     def fixup_config_files(self):
         self.fixup_cassandra_config()
-        self.fixup_keystone_auth_config_file()
+        self.fixup_keystone_auth_config_file(self._args.multi_tenancy)
         self.fixup_ifmap_config_files()
         self.fixup_contrail_api_config_file()
         config_files = [